Tom here from Lawrence Systems. And what if you could have a ransomware-activated fuse where you have your NAS, and it's able to look at a baseline of the way users interact with the files on there and go, hey, this user is doing something beyond the norm. They're trying to, oh, I don't know, change thousands of files at once because their workstation has been infected with ransomware. What if your NAS could detect that and break that fuse? And let's go a step further because, well, it did encrypt some of the data. It did break some of the files. What if you had an easy way to roll that back to see what files that particular workstation had touched? So you first have disconnected it to stop further damage and then with maybe just a couple of clicks you can roll it back. Sounds like magic. Well, it's not, it's actually just some really clever programming from my friends over at 45 Drives. It's a new thing they have called Snapshield. I actually have gotten a demo of this prior to its formal announcement release. I've been talking to them, giving them some feedback on it. I am really impressed by it. So I invited them on my channel here. I also have a longer video linked down below right on the 45 Drives channel where they dive really deep into it. But we're gonna give this quick video where we just kind of do an overview of what it is and why I think it's so clever. And it's not that no one's had this idea before. It's that this idea is harder to implement than you might think. And there's a lot of insights that came out of it. So let's jump into that interview. And I'm joined by my two friends here at 45 Drives. I'm Brett Kelly, R&D here at 45 Drives. And I'm Mitch Hall, and I'm the lead storage architect here at 45 Drives. Yeah, and if you haven't seen their channel and watched the Tuesday Tips and everything else, I mean, these guys are regulars on there giving a lot of good information. And this is exciting.
So I got to see a demo before you guys formally announced it. So full disclosure, I got a sneak preview of this. I got a personalized demo from the team over here at 45 Drives. And this is one of those ideas that's so simple, it's brilliant. But just because it's simple doesn't mean it wasn't hard to implement. And I think there's gonna be some more use cases that kind of fork off of this. But let's talk about the basics here. You're watching for these major file changes and then saying, hey, you have changed. You've created an anomalous amount of files. You've changed or rewritten, usually what a ransomware does. How hard was this to implement? We'll just start there. So when we started off, really what we wanted to do is we knew we wanted to focus the scope to SMB file serving. And the reason why we wanted to do that is because we make use of audit logs in Samba very regularly. And so that gave us a nice targeted way to understand exactly what files are being written at any time during the workday. So that gave us a really easy way to be able to know exactly what files we wanted to zero in on. So we didn't have to crawl the file system consistently over and over again. So that was huge for sure. Yeah, and really, like you said, the idea was simple. And then you look at it, it's like staring at the sun, you're like, oh geez, how do we accomplish this? First you got to limit the scope. Luckily, everyone usually comes in through a Windows attack vector. So we went, great, let's start there. Yeah, and then from there, it really was getting a good understanding of how ransomwares behaved under the hood. And so that was really fun. I loved being in the lab. Actually, that was a bit of a challenge too. Yeah, like doing it safely. Yeah, we had to go tell our, we get pretty much the freedom to do what we need to do. But of course, our head of IT over at our parent company, Protocase. So I went over and gave him the idea of what we were doing. And he was like, you're gonna do what?
Yeah, don't want to build a lab, a quarantine lab. It'll be perfect, yeah. So yeah, once we did that, like that was really fun. And what we did was we really kind of did some write-ups on exactly the behavior of all these ransomwares we were seeing. And we saw a lot of commonalities of course, right? And so really the idea was let's not develop this around one ransomware or another ransomware. Let's develop this around how ransomware behaves. And so then we can even get novel ransomwares that maybe haven't been developed yet. Exactly. And so that was really huge. And so once we kind of found, I think there's like seven or eight, I don't want to give away too much, but there's specific things that we look for in our file scoring system. And so an amalgamation of all of those things that we look at gives the file a score as it's being written. And so that's kind of the big, big secret sauce. And I think something people may not realize, because this is something I've talked about, I believe you guys have talked about before on your channel, is with ZFS, because it has these snapshots and we can roll back in time, that it's a good protection once you know ransomware has detonated in your network. But one of the things that comes up is people assume ransomware is encrypting the entirety of the file. When in reality it only encrypts a partial file, which is what makes us even more viable. Because the way that ransomware can effectively work is not to encrypt 10,000 files, that would actually take a long time. And when you look at how it works, just go, it's only encrypting enough of it so it makes the file useless. But that actually is one of the advantages you have is with ZFS, you're not worried about that snapshot or that version of the file getting so big that you have a different problem where, well, we've kind of run out of space because we kept versions and they just encrypted our versioning.
So it actually probably helps a little bit for how quickly you can roll this back when it happens. Yeah, exactly. And not only ZFS, but Ceph as well. So that was another really big part of this as well. Obviously it was amazing to be able to stop ransomware in its tracks very, very quickly, but being able to use these copy-on-write file systems as like a one-two punch to be able to get you back up and back into production in record time was really cool. With minimal, you know, lost time or lost files, we don't have to roll back an entire snapshot and really affect everyone's workload. We could just, just the small amount of files that were touched before Snapshield kind of blows that fuse, we can just go in and we can pull that back from a few minutes ago. And then that turns that ransomware really into a non-event, kind of the tagline that we've been pushing because it's so true. Yeah, and being able to see exactly what was touched, that's always the question of how do we reverse it is what all was touched, where did they go, and having these SMB logs is awesome. I actually like that you brought up that it's all about how it intercepts the SMB. It doesn't matter if you're using ZFS or Ceph, as long as you are using this tool, it has a methodology by which you can roll things back to where they were before the event. Yeah, actually you talked about like having snapshot copies of files, and like LockBit, for example, one of the really, really bad ones. That one actually, if you're using shadow copy, so let's say Windows snapshots, it's actually even able to corrupt those as well. So it's intelligent enough to go in and corrupt those volumes. So being able to have all of the actual data itself obfuscated on the ZFS and on the storage server side is another great benefit to this. Yeah, I've encouraged lots of people.
I've got a project now, well, so I'll be reaching out to you guys again about this, where a client's got just too much data stored on Windows boxes and that makes it that much more challenging. You put in a NAS storage solution like this, then combine it with Snapshield. You don't just have the benefits of a versioned system that is harder for ransomware to get at, but you have this, you know, put the Snapshield in there. Now we've got an entire solution where it doesn't matter what the latest ransomware is. If someone tries to encrypt your files, there's a way to snap back to the one previous. Exactly, I really like that. And I mean, don't get us wrong. I mean, while we can, we are definitely looking for commonalities between ransomware. So it doesn't have to be something that we've trained our algorithm on. We absolutely have probably like 15 now that we've trained Snapshield on, but the main point is, even novel ones coming down the pipe should absolutely be falling into this umbrella. Yeah, it's an arms race, right? Yeah, exactly. Just sit here and say, I've defeated cyber. Yeah, ransomware. No, that's not how it works. So part of this whole process here is, yeah, we've got Snapshield. It's written in such a way that it watches for the characteristics of a big write load. So it's pretty good at what it knows and probably what it doesn't know yet. But internally, what we're doing here is our quarantine lab is a permanent part of our ecosystem now that we consistently, as we find stuff, train stuff, just beat the crap out of the thing. Because as always, you gotta keep fighting. Yeah, just like you said, it's an arms race. We develop this and then that actor will bring something eventually and it just goes back and forth. Which really what it comes down to too is a question that keeps popping up when we show it to people. It's like, oh, so I'm good. I just need this one tool. I was like, oh, no. This is another layer. Yeah, exactly.
Just another layer, right? Another layer. Why not put a vault on your cash register? Someone might break in. Yeah, you've got all the, to use the store analogy, you've got your cameras, you've got your locks on your door, your network intrusion stuff. But what if they can get in? The last line of defense, baby. Might as well have that too. Yeah, exactly. And I think it's worth mentioning the other thing it can help protect against is if someone were to mass delete files, perhaps that would also trigger it too. So that my-last-day-of-work is about to be an rm -rf. Yeah, absolutely. That's huge. And actually just even in development too, because we're the kind of company that, as we make something, we're like, well, if it's gonna work, we should probably be the first guinea pigs to use it. So we've been running this thing on our internal business file server for months now. And of course we haven't had any ransomware attacks. We've done some fire drills to test that it works. But the metric plotting, and just to watch the write pattern, we found a couple things that other parts of the company, like some of the development tools that they put in place, were doing just weird write patterns that they didn't realize they were touching files too much. So here's a couple, just general kind of, the metrics and visibility it gives to your write workload on your file server. Well, just some interesting things we've mined out of that. Yeah, the ICT team can get like extra insight on how the file system is being used, right? Yeah. One of the things is where I was getting at is like 80%, we found that 80% of our regular requests were coming from certain applications that we had built internally. They're like, why is that happening? And then they're like, oh geez, we didn't know it was like that. So we were able to reduce the load on the server. Just from an analytics standpoint, that, you know, because you guys are using, is it Grafana in the back end too?
Yeah, just having a nice analytics dashboard to go, hey, this is your file usage pattern, opens up some more insights, especially at these large enterprise companies that, you know, what are the write patterns that we're having? So that's, I think that's some further stuff that will probably be coming out of this. Like you get the core product, but, you know, eventually there's some more ideas that'll pop out of this, I'm sure. Yeah, lots of cool stuff on the roadmap. Yeah, actually, thanks for saying that too. 'Cause one of the things we were looking at too is the like, if you have to manage a fleet of these things, how can we break it up such that you have a singular UI and it kind of talks everything microservices-wise, that we've got some plans for, as well as read exfiltration. Right now we're watching for writes, we're snapping that shut as fast as we can and then hoping that the, knowing that the other network and protection will stop malicious things from leaving, but that's what ransomware does these days. They encrypt you and then they try to send your data back somewhere else. So that's big for us too, researching how, it's a more subtle thing to catch than the onslaught of, or the tidal wave of writes that come in. So something to look at there, but read exfiltration and data leaving, if that's something we can catch too. I think there's a lot of potential for the whole data loss prevention. The DLP is best suited to be looked at from Samba, especially if you say, man, no one's touched these archive files from three years ago. Suddenly someone's interested in all of them. Yeah, yeah, exactly. And then again, kind of like the malicious, it's either, yeah, you got ransomware or, I don't know, maybe you've got someone at your company, like you said, with the big rm -rf, they have someone's venturing around somewhere they shouldn't and your access control lists aren't as tight as they need to be or something like that.
I'm spitballing here, but you know, you could have a few canaries on there and look for those files to be transferred and that's how I figure it out. Yeah, absolutely. Look for this file name. If anyone pulls this file name, they're doing something mischievous because that file's there for only that reason. Exactly, yeah. Well, very cool guys. There is a much longer video linked to in the description below where you guys dive deep. It's a long demo, but worth it if you want, you walk through the entire process, how this works, how it all goes. And I watched it, it was great. And of course I got a demo, so I thought that was cool too, watching, seeing it in action. I think this is really clever. And I'm really looking forward to as this progresses and develops and everything else. And you reach out to the team over at 45 Drives if you need your own personal demo or to get a little more in depth on it. So awesome guys and thanks. Thanks so much, Tom. Thanks for having us.